diff -Pubr x/linux-2.4.26/Documentation/Configure.help linux-2.4.26/Documentation/Configure.help --- x/linux-2.4.26/Documentation/Configure.help Mon Aug 30 21:13:24 2004 +++ linux-2.4.26/Documentation/Configure.help Mon Aug 30 19:52:10 2004 @@ -2860,6 +2860,15 @@ If you want to compile it as a module, say M here and read . If unsure, say `N'. +Random match support +CONFIG_IP_NF_MATCH_RANDOM + This option adds a `random' match, + which allow you to match packets randomly + following a given probability. + + If you want to compile it as a module, say M here and read + Documentation/modules.txt. If unsure, say `N'. + Netfilter MARK match support CONFIG_IP_NF_MATCH_MARK Netfilter mark matching allows you to match packets based on the @@ -3160,6 +3169,7 @@ If you want to compile it as a module, say M here and read Documentation/modules.txt. If unsure, say `Y'. + TCPMSS match support CONFIG_IP_NF_MATCH_TCPMSS This option adds a `tcpmss' match, which allows you to examine the @@ -3228,6 +3238,14 @@ If you want to compile it as a module, say M here and read . If unsure, say `N'. + +CONFIG_IP6_NF_MATCH_RANDOM + This option adds a `random' match, + which allow you to match packets randomly + following a given probability. + + If you want to compile it as a module, say M here and read + Documentation/modules.txt. If unsure, say `N'. length match support CONFIG_IP6_NF_MATCH_LENGTH diff -Pubr x/linux-2.4.26/include/linux/netfilter_ipv4/ipt_random.h linux-2.4.26/include/linux/netfilter_ipv4/ipt_random.h --- x/linux-2.4.26/include/linux/netfilter_ipv4/ipt_random.h Thu Jan 1 10:00:00 1970 +++ linux-2.4.26/include/linux/netfilter_ipv4/ipt_random.h Mon Aug 30 19:54:06 2004 @@ -0,0 +1,11 @@ +#ifndef _IPT_RAND_H +#define _IPT_RAND_H + +#include +#include + +struct ipt_rand_info { + u_int8_t average; +}; + +#endif /*_IPT_RAND_H*/ diff -Pubr x/linux-2.4.26/include/linux/netfilter_ipv6/ip6t_random.h linux-2.4.26/include/linux/netfilter_ipv6/ip6t_random.h --- x/linux-2.4.26/include/linux/netfilter_ipv6/ip6t_random.h Thu Jan 1 10:00:00 1970 +++ linux-2.4.26/include/linux/netfilter_ipv6/ip6t_random.h Mon Aug 30 19:54:22 2004 @@ -0,0 +1,11 @@ +#ifndef _IP6T_RAND_H +#define _IP6T_RAND_H + +#include +#include + +struct ip6t_rand_info { + u_int8_t average; +}; + +#endif /*_IP6T_RAND_H*/ diff -Pubr x/linux-2.4.26/net/ipv4/netfilter/Config.in linux-2.4.26/net/ipv4/netfilter/Config.in --- x/linux-2.4.26/net/ipv4/netfilter/Config.in Mon Aug 30 21:13:24 2004 +++ linux-2.4.26/net/ipv4/netfilter/Config.in Mon Aug 30 19:56:46 2004 @@ -24,6 +24,7 @@ dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES dep_tristate ' Multiple port match support' CONFIG_IP_NF_MATCH_MULTIPORT $CONFIG_IP_NF_IPTABLES dep_tristate ' TOS match support' CONFIG_IP_NF_MATCH_TOS $CONFIG_IP_NF_IPTABLES + dep_tristate ' random match support' CONFIG_IP_NF_MATCH_RANDOM $CONFIG_IP_NF_IPTABLES dep_tristate ' recent match support' CONFIG_IP_NF_MATCH_RECENT $CONFIG_IP_NF_IPTABLES dep_tristate ' ECN match support' CONFIG_IP_NF_MATCH_ECN $CONFIG_IP_NF_IPTABLES diff -Pubr x/linux-2.4.26/net/ipv4/netfilter/Makefile linux-2.4.26/net/ipv4/netfilter/Makefile --- x/linux-2.4.26/net/ipv4/netfilter/Makefile Mon Aug 30 21:13:24 2004 +++ linux-2.4.26/net/ipv4/netfilter/Makefile Mon Aug 30 19:59:26 2004 @@ -73,6 +73,8 @@ obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o +obj-$(CONFIG_IP_NF_MATCH_RANDOM) += ipt_random.o + obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o diff -Pubr x/linux-2.4.26/net/ipv4/netfilter/ipt_random.c linux-2.4.26/net/ipv4/netfilter/ipt_random.c --- x/linux-2.4.26/net/ipv4/netfilter/ipt_random.c Thu Jan 1 10:00:00 1970 +++ linux-2.4.26/net/ipv4/netfilter/ipt_random.c Mon Aug 30 19:54:48 2004 @@ -0,0 +1,96 @@ +/* + This is a module which is used for a "random" match support. + This file is distributed under the terms of the GNU General Public + License (GPL). Copies of the GPL can be obtained from: + ftp://prep.ai.mit.edu/pub/gnu/GPL + + 2001-10-14 Fabrice MARIE : initial implementation. +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +MODULE_LICENSE("GPL"); + +static int +ipt_rand_match(const struct sk_buff *pskb, + const struct net_device *in, + const struct net_device *out, + const void *matchinfo, + int offset, + const void *hdr, + u_int16_t datalen, + int *hotdrop) +{ + /* Parameters from userspace */ + const struct ipt_rand_info *info = matchinfo; + u_int8_t random_number; + + /* get 1 random number from the kernel random number generation routine */ + get_random_bytes((void *)(&random_number), 1); + + /* Do we match ? */ + if (random_number <= info->average) + return 1; + else + return 0; +} + +static int +ipt_rand_checkentry(const char *tablename, + const struct ipt_ip *e, + void *matchinfo, + unsigned int matchsize, + unsigned int hook_mask) +{ + /* Parameters from userspace */ + const struct ipt_rand_info *info = matchinfo; + + if (matchsize != IPT_ALIGN(sizeof(struct ipt_rand_info))) { + printk("ipt_random: matchsize %u != %u\n", matchsize, + IPT_ALIGN(sizeof(struct ipt_rand_info))); + return 0; + } + + /* must be 1 <= average % <= 99 */ + /* 1 x 2.55 = 2 */ + /* 99 x 2.55 = 252 */ + if ((info->average < 2) || (info->average > 252)) { + printk("ipt_random: invalid average %u\n", info->average); + return 0; + } + + return 1; +} + +static struct ipt_match ipt_rand_reg = { + {NULL, NULL}, + "random", + ipt_rand_match, + ipt_rand_checkentry, + NULL, + THIS_MODULE }; + +static int __init init(void) +{ + if (ipt_register_match(&ipt_rand_reg)) + return -EINVAL; + + printk("ipt_random match loaded\n"); + return 0; +} + +static void __exit fini(void) +{ + ipt_unregister_match(&ipt_rand_reg); + printk("ipt_random match unloaded\n"); +} + +module_init(init); +module_exit(fini); diff -Pubr x/linux-2.4.26/net/ipv6/netfilter/Config.in linux-2.4.26/net/ipv6/netfilter/Config.in --- x/linux-2.4.26/net/ipv6/netfilter/Config.in Sat Jun 14 00:51:39 2003 +++ linux-2.4.26/net/ipv6/netfilter/Config.in Mon Aug 30 20:01:52 2004 @@ -18,6 +18,7 @@ # The simple matches. dep_tristate ' limit match support' CONFIG_IP6_NF_MATCH_LIMIT $CONFIG_IP6_NF_IPTABLES dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES + dep_tristate ' Random match support' CONFIG_IP6_NF_MATCH_RANDOM $CONFIG_IP6_NF_IPTABLES if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then dep_tristate ' Routing header match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_RT $CONFIG_IP6_NF_IPTABLES fi diff -Pubr x/linux-2.4.26/net/ipv6/netfilter/Makefile linux-2.4.26/net/ipv6/netfilter/Makefile --- x/linux-2.4.26/net/ipv6/netfilter/Makefile Sat Jun 14 00:51:39 2003 +++ linux-2.4.26/net/ipv6/netfilter/Makefile Mon Aug 30 20:02:36 2004 @@ -30,6 +30,7 @@ obj-$(CONFIG_IP6_NF_TARGET_MARK) += ip6t_MARK.o obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o +obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o include $(TOPDIR)/Rules.make diff -Pubr x/linux-2.4.26/net/ipv6/netfilter/ip6t_random.c linux-2.4.26/net/ipv6/netfilter/ip6t_random.c --- x/linux-2.4.26/net/ipv6/netfilter/ip6t_random.c Thu Jan 1 10:00:00 1970 +++ linux-2.4.26/net/ipv6/netfilter/ip6t_random.c Mon Aug 30 20:00:23 2004 @@ -0,0 +1,97 @@ +/* + This is a module which is used for a "random" match support. + This file is distributed under the terms of the GNU General Public + License (GPL). Copies of the GPL can be obtained from: + ftp://prep.ai.mit.edu/pub/gnu/GPL + + 2001-10-14 Fabrice MARIE : initial implementation. + 2003-04-30 Maciej Soltysiak : IPv6 Port +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +MODULE_LICENSE("GPL"); + +static int +ip6t_rand_match(const struct sk_buff *pskb, + const struct net_device *in, + const struct net_device *out, + const void *matchinfo, + int offset, + const void *hdr, + u_int16_t datalen, + int *hotdrop) +{ + /* Parameters from userspace */ + const struct ip6t_rand_info *info = matchinfo; + u_int8_t random_number; + + /* get 1 random number from the kernel random number generation routine */ + get_random_bytes((void *)(&random_number), 1); + + /* Do we match ? */ + if (random_number <= info->average) + return 1; + else + return 0; +} + +static int +ip6t_rand_checkentry(const char *tablename, + const struct ip6t_ip6 *e, + void *matchinfo, + unsigned int matchsize, + unsigned int hook_mask) +{ + /* Parameters from userspace */ + const struct ip6t_rand_info *info = matchinfo; + + if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_rand_info))) { + printk("ip6t_random: matchsize %u != %u\n", matchsize, + IP6T_ALIGN(sizeof(struct ip6t_rand_info))); + return 0; + } + + /* must be 1 <= average % <= 99 */ + /* 1 x 2.55 = 2 */ + /* 99 x 2.55 = 252 */ + if ((info->average < 2) || (info->average > 252)) { + printk("ip6t_random: invalid average %u\n", info->average); + return 0; + } + + return 1; +} + +static struct ip6t_match ip6t_rand_reg = { + {NULL, NULL}, + "random", + ip6t_rand_match, + ip6t_rand_checkentry, + NULL, + THIS_MODULE }; + +static int __init init(void) +{ + if (ip6t_register_match(&ip6t_rand_reg)) + return -EINVAL; + + printk("ip6t_random match loaded\n"); + return 0; +} + +static void __exit fini(void) +{ + ip6t_unregister_match(&ip6t_rand_reg); + printk("ip6t_random match unloaded\n"); +} + +module_init(init); +module_exit(fini);